informa
News

New Windows Worm on the Loose

As much chameleon as worm, Win32.Detnat.a affects executable files in Windows 98, ME, NT, 2000, XP, and Server 2003

A new worm, dubbed "Win32.Detnat.a," is on the loose and works in stealth mode with its eye on Windows machines.

MicroWorld Technologies issued a warning on this latest exploit today after increased sightings and concerns among its researchers that, if executed, the worm could spread like wildfire, according to Agnelo Fernandes, technical head for MicroWorld Technologies USA. "It's very hard for an antivirus program to detect it because it keeps changing every time it infects a new file," he says. The security firm first spotted this worm back in May.

As much chameleon as worm, Win32.Detnat.a affects executable files in Windows 98, ME, NT, 2000, XP, and Server 2003, and it hides itself by using a different mode of encryption each time it infects a file. It also keeps file sizes unchanged, so it's harder to detect, Fernandes says. It aims to infect shared network files and resources.

But it only spreads if a user executes an infected file, either through an email attachment or an infected Website, he says, so its risk is relatively low. But Fernandes warns that if this worm does get launched via an executable file, it instantly infects all executable files in a network.

It works like this: The worm copies the infected file to a Windows Temporary folder and then cleans up the file. The infected file then copies itself to the original file name to the Windows current folder where it was first executed. It downloads and executes files from two central Websites: http://www.cm9998.com and http://www.korearace.com.

"It's novel in how it tries keep itself hidden," says Jose Nazario, senior security researcher for Arbor Networks. "It's not changing passwords for a few bytes here or there" like other stealth worms, he says.

But some industry experts say Win32.Detnat.a is just another iteration of most viruses. The real threat here is this type of getting past the corporate firewall and into the internal network. "If a virus owns your computer, you're giving it access" to your network, says Tom Ptacek, a security researcher with Matasano Security. "If an email virus launches a second piece of malware to attack network printers, for example, which are totally vulnerable, your checks couldn't be printed anymore.

Ptacek says these viruses were a dime a dozen in the '90s when attackers could write them with the GUI-based Virus Creation Labs tool.

And Win32.Detnat.a does require a user to execute the infected file, typically sent via a bogus email, says Nazario, who concurs with Ptacek that the real danger lies in internal network infection.

The more frightening type of worm is one that doesn't require any user interaction, such as those targeted at browsers or email clients, Ptacek says. "This [new] virus isn't any different than one you can create with a GUI."

To prevent getting infected, you need an updated AV application as well as a firewall that blocks unwanted HTML requests, according to MicroWorld.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Matasano Security LLC
  • Microsoft Corp. (Nasdaq: MSFT)
  • MicroWorld Technologies Inc.
  • Arbor Networks Inc.

  • Recommended Reading: